Data Processing Agreement

This Data Processing Agreement ("DPA") is between you or the organisation you represent ("Controller" or "Client") and reb∞8 Pvt Ltd ("Processor" or "reb∞8"). It forms part of, and is incorporated into, any agreement for services between the parties (the "Principal Agreement"). It applies where reb∞8 processes personal data on your behalf in connection with the services.

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent provisions under Indian law including the DPDP Act 2023.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by reb∞8 on behalf of the Client under the Principal Agreement.

"Processing" has the meaning given in the GDPR and includes any operation performed on personal data.

"Data Subject" means the individual whose personal data is being processed.

"Sub-processor" means any third party engaged by reb∞8 to process personal data on behalf of the Client.

2. Subject Matter and Nature of Processing

reb∞8 will process personal data as necessary to provide the services described in the Principal Agreement, including data annotation, labeling, evaluation, and managed data operations. Processing is carried out in accordance with the Client's documented instructions as set out in the Outcome Brief and this DPA.

3. Types of Personal Data and Data Subjects

The types of personal data processed may include: names, identifiers, images, voice recordings, text, behavioural data, and any other data included in the datasets provided by the Client for annotation or evaluation. Data subjects may include end users, customers, or other individuals whose data appears in Client-provided datasets. The specific categories will be defined in the applicable Outcome Brief.

4. Obligations of reb∞8 as Processor

reb∞8 shall: (a) process personal data only on documented instructions from the Client, unless required to do so by applicable law; (b) ensure that persons authorised to process personal data are bound by confidentiality obligations; (c) implement the technical and organisational security measures described in Clause 7; (d) assist the Client in responding to Data Subject rights requests, to the extent reasonably possible; (e) assist the Client in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation; (f) at the Client's choice, delete or return all personal data after the end of the provision of services; and (g) make available to the Client all information necessary to demonstrate compliance with this DPA.

5. Client Obligations

The Client warrants that: (a) it has a lawful basis for providing personal data to reb∞8 for processing; (b) it has provided all required notices to, and obtained all required consents from, data subjects; (c) its instructions to reb∞8 comply with applicable data protection law; and (d) it will notify reb∞8 promptly of any changes to applicable law that affect the processing.

6. Sub-processors

The Client grants general authorisation for reb∞8 to engage sub-processors. reb∞8 will maintain a list of sub-processors and notify the Client of any intended changes (additions or replacements) with reasonable prior notice, giving the Client the opportunity to object. reb∞8 will impose data protection obligations on sub-processors equivalent to those in this DPA and remains liable to the Client for sub-processor performance.

7. Technical and Organisational Security Measures

reb∞8 implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: (a) encryption of personal data at rest and in transit; (b) access controls and role-based permissions limiting access to authorised personnel; (c) regular testing and evaluation of security measures; (d) procedures for restoring availability of personal data following a security incident; (e) staff training on data protection and security obligations.

8. Data Breach Notification

reb∞8 will notify the Client without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Client data. Notification will include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects and records affected; (c) likely consequences; and (d) measures taken or proposed to address the breach. Where complete information is not available within 72 hours, reb∞8 will provide information in phases.

9. International Data Transfers

Where personal data is transferred to a country outside the EEA, UK, or India that has not been determined to provide an adequate level of protection, such transfers will be made subject to appropriate safeguards, including (where applicable) Standard Contractual Clauses as approved by the European Commission. The Client may request a copy of applicable transfer mechanisms.

10. Audit Rights

reb∞8 will make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections, provided that: (a) the Client gives reasonable prior notice; (b) audits are conducted during normal business hours; (c) the Client bears the cost of any audit it initiates; and (d) audit frequency is limited to once per calendar year unless a specific breach or incident requires otherwise.

11. Return and Deletion of Data

Upon termination of the Principal Agreement or upon the Client's request, reb∞8 will, at the Client's election, return or securely delete all personal data processed on the Client's behalf, unless applicable law requires retention. reb∞8 will provide written confirmation of deletion upon request.

12. Duration

This DPA remains in effect for as long as reb∞8 processes personal data on behalf of the Client under the Principal Agreement. Obligations relating to confidentiality and security survive termination.

13. Governing Law

This DPA is governed by the laws of India. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Principal Agreement.

14. Contact and Enquiries

For questions about this DPA or to exercise rights under it, contact:
reb∞8 Pvt Ltd
Email: hello@reboo8.com